As a Systems Administrator, it is always a good security measure to audit your Active Directory accounts on a regular basis. Tools like Netwrix can help automate this process by sending you daily reports. Interactive user accounts should always have passwords follow the password policy. On the other hand, you don’t want a service account password to expire which could cause your applications to stop working.
The good news is that there’s a Powershell command you can run that will export all of the Active Directory accounts that have their passwords set to never expire into a CSV file.
See Whose Active Directory Account Password Is Set To Never Expire
Run the following command in Powershell ISE:
Search-ADAccount -PasswordNeverExpires | Select-Object Name,ObjectClass,PasswordNeverExpires | Export-Csv c:tempusers_password_expiration_false.csv
The above command will create a file in C:Temp on the machine you run it on called users_password_expiration_false.csv. The report will include all accounts for interactive users and service accounts, but you can filter the results.
The command will run on the currently associated Active Directory domain. If you want to run it on another domain, just log into a server on that domain and run the same script.
How do you audit user accounts whose passwords are set to never expire? Let us know in the comments below.